A quick post, because this has affected me...
When you create HTML with Flask (while people need to use Jinja2, sometimes I want stuff working), you will need to escape it. Flask has a function for escaping HTML. Perhaps I should use it!
Too bad the docs didn't say you had to wrap it in a
str() unless a soup of HTML code is your thing.